
Numerous Vulnerability Assessment (VA) tools are available to security engineers, pen-testers and network administrators. Their results are mostly taken on trust, because users rarely have the time or the expertise to validate the output.

More and more software now emits banners and error messages that depend on the installed language. This is especially true of commercial products such as Microsoft SQL Server and the Windows operating system.

Some VA tools do not take this localization into account and therefore produce false negatives, which can lead to a false sense of security. Since many exploits work against non-English versions just as well as against the English one, an undetected instance is still a real exposure.

We chose to demonstrate these exposures on Microsoft SQL Server with the "SQL Server blank password" vulnerability.

Please note that this is not the only issue:

- Problems appeared when VA tools started to detect the IIS/Unicode vulnerability; for example, HD Moore's unicoder.pl script looks for the localizable string "Directory of" [1].

- The name of the built-in administrator account on Windows depends on the localization: on English versions it is "Administrator", whereas on the French version (for example) it is "Administrateur". This causes issues for brute-force attacks and audits that target the account by name. The account keeps its well-known relative identifier (RID 500) in every language, so tools that resolve it by SID rather than by name are unaffected.

A practical example
==================

Introduction
============

Microsoft SQL Server is a good choice for testing VA tools against localization issues: it is widely deployed, its messages depend on the installed language, and it is affected by several well-known security flaws.

Testing conditions
==================

First, we set up default installations of Microsoft SQL Server 2000 on Windows 2000 SP3 in the following languages:
- English
- French
- German
- Japanese
The "sa" admin account was left with a blank password.

We tested every VA tool in our panel against the English version, looking for vulnerability CAN-2000-1209 ("MS-SQL blank password"). The products that found this flaw were then tested against the other languages.

- Vigilante Secure NX:
Work in progress on the vendor's side...
- eEye Retina Scanner:
Work in progress on the vendor's side...
- Nessus:
We provided the Nessus team with patches, which were integrated into the related plugins.
- Sensepost senseql:
A new release is available at [4].

Conclusion
==========

In our opinion, it is now up to VA tool vendors to take localization into account when developing pattern-matching signatures. Security engineers and consultants should, of course, review every scan report for false positives, and should run several tools in order to better detect false negatives. A good way to avoid these problems altogether is to check vulnerabilities at the application level, as the SQLpoke exploit code does: actually attempt the action (here, a login as "sa" with an empty password) rather than match a localized string.
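As an added example (not from the original post, nor from unicoder.pl or any of the tools named above), the following Python script contrasts three ways a check for the IIS/Unicode traversal mentioned earlier could decide whether cmd.exe really ran: the English-only "Directory of" signature, the same signature backed by a table of localized banners, and the application-level approach the conclusion recommends, where the scanner makes the server echo a random token it chose itself. The target is simulated by a hypothetical helper so the script runs offline, and the non-English dir banners are constructed approximations, not captured server output.

```python
import secrets
from typing import Dict, Optional

# Constructed sample bodies, one per installed language, standing in for what a
# vulnerable IIS host returns when a traversal request runs "cmd.exe /c dir".
# The French, German and Japanese banners are illustrative approximations.
SAMPLE_DIR_OUTPUT = {
    "en": " Directory of C:\\Inetpub\\scripts\n\n<DIR>          .\n",
    "fr": " Répertoire de C:\\Inetpub\\scripts\n\n<REP>          .\n",
    "de": " Verzeichnis von C:\\Inetpub\\scripts\n\n<DIR>          .\n",
    "ja": " C:\\Inetpub\\scripts のディレクトリ\n\n<DIR>          .\n",
}


def simulate_server(lang: str, command: str, vulnerable: bool = True) -> str:
    """Hypothetical stand-in for the target (assumption: not a real HTTP client).

    A vulnerable host executes "cmd.exe /c <command>" and returns its output;
    only "dir" and "echo <text>" are modelled. A patched host returns an empty
    body, as it would for a rejected traversal.
    """
    if not vulnerable:
        return ""
    if command == "dir":
        return SAMPLE_DIR_OUTPUT[lang]
    if command.startswith("echo "):
        return command[len("echo "):] + "\r\n"
    return ""


def english_signature_check(lang: str, vulnerable: bool = True) -> bool:
    """unicoder.pl-style test: run dir and look for the English banner only."""
    body = simulate_server(lang, "dir", vulnerable)
    return "Directory of" in body


# Table of localized banners; any language missing from it is still a false negative.
LOCALIZED_BANNERS = ("Directory of", "Répertoire de", "Verzeichnis von", "のディレクトリ")


def localized_signature_check(lang: str, vulnerable: bool = True) -> bool:
    """Same test, but accepting every banner in LOCALIZED_BANNERS."""
    body = simulate_server(lang, "dir", vulnerable)
    return any(banner in body for banner in LOCALIZED_BANNERS)


def nonce_check(lang: str, vulnerable: bool = True, token: Optional[str] = None) -> bool:
    """Application-level test: make the server echo a value the scanner chose.

    The expected response contains no localizable text, and because the token
    is random, a static page that happens to contain "Directory of" cannot
    produce a false positive either.
    """
    token = token or secrets.token_hex(8)
    body = simulate_server(lang, f"echo {token}", vulnerable)
    return token in body


def compare_checks(langs=("en", "fr", "de", "ja")) -> Dict[str, Dict[str, bool]]:
    """Run each strategy against every language; True means 'detected'."""
    return {
        "english_signature": {lang: english_signature_check(lang) for lang in langs},
        "localized_signature": {lang: localized_signature_check(lang) for lang in langs},
        "nonce": {lang: nonce_check(lang) for lang in langs},
    }


if __name__ == "__main__":
    for name, results in compare_checks().items():
        missed = [lang for lang, hit in results.items() if not hit]
        print(f"{name:20s} detected {sum(results.values())}/{len(results)}, missed: {missed}")
```

Against the four simulated languages the English-only signature reports one hit out of four, the localized table reports four but only because every installed language happens to be in it, and the nonce check reports four without knowing anything about the target's language; against the simulated patched host all three correctly report nothing. The same principle applies to the SQL Server case: attempting the "sa" login settles the question, whereas matching a localized error message does not.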